Let's Encrypt ACME client outdated by letsencrypt

Moderator: Lillian.W@AST

sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Let's Encrypt ACME client outdated by letsencrypt

Post by sksbir »

Hi
Here is a mail I just received after renewing my certificate:

Client IP address: <my IP>
User agent:
Hostname(s): "<my domain>"
Request time: 2020-02-16 ....UTC
Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/

If you're unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don't know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there's an existing solution for your question. If there isn't, please create
a new topic and fill out the help template.

ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end ... for-acmev1

As a reminder: In the future, Let's Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you're working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let's Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don't publish a list of IP addresses
we use to validate, and this list may change at any time.

To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/abo ... s-category

Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!

All the best,

Let's Encrypt
orion
Posts: 3485
Joined: Wed May 29, 2013 11:09 am

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by orion »

I thought NAS uses certbot, but it seems not?? You'd better report it to asustor directly too.
RainCaster
Posts: 19
Joined: Mon Feb 06, 2017 11:37 pm

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by RainCaster »

I get a failure message from this now. "Unable to apply settings. Please try again. (Ref. 5401)"

I wonder if the challenge fails because of the odd port number being used. (not 80/443)
orion
Posts: 3485
Joined: Wed May 29, 2013 11:09 am

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by orion »

RainCaster wrote: I get a failure message from this now. "Unable to apply settings. Please try again. (Ref. 5401)"

I wonder if the challenge fails because of the odd port number being used. (not 80/443)

I guess that's a different story from OP. And, yes, you'll need to leave port 80 open for your web site (letsencrypt requirement). https://www.asustor.com/en/online/Colle ... ?topic=324
jauling
Posts: 52
Joined: Wed Feb 01, 2017 1:34 am
Location: Amsterdam

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by jauling »

I see in the release notes that 3.4.6.RCO3 (released on 2019-12-25) should have introduced ACMEv2. I've been running 3.4.7.RFO2 for over 5 weeks now, but I recently got an email from Let's Encrypt saying that ACMEv1 was used on 2020-04-29 to renew my certs.

I see a crontab entry for root on my AS5104T that is executing this daily at midnight:

0 0 * * * TAG=CERTIFICATE /usr/builtin/bin/certificate update-cert

Anyone figure out how this client works? I looked at the binary, and it reads the file /usr/builtin/etc/certificate/certificate.json, which seems to show that my Let's Encrypt cert is type 2, but I really don't know if that has anything to do with ACMEv1 vs ACMEv2.
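
One way to check which ACME API a client binary or its config refers to, as an added example that is not part of the thread and not ASUSTOR's code. It assumes the Let's Encrypt production hosts acme-v01.api.letsencrypt.org (ACMEv1) and acme-v02.api.letsencrypt.org (ACMEv2) appear as plain strings in the file; the function name acme_api_version is hypothetical.

```shell
#!/bin/sh
# Report which Let's Encrypt production ACME API a file refers to.
# Prints one of: v1, v2, both, none (or "unreadable" with exit status 2).
acme_api_version() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 2
    fi
    # Turn every non-printable byte into a newline so URLs embedded in a
    # binary become greppable lines (a stand-in for strings(1)).
    hosts=$(LC_ALL=C tr -c '[:print:]' '\n' < "$file" |
        grep -o -E 'acme-v0[12]\.api\.letsencrypt\.org' | sort -u)
    v1=no
    v2=no
    case "$hosts" in *acme-v01.*) v1=yes ;; esac
    case "$hosts" in *acme-v02.*) v2=yes ;; esac
    if [ "$v1" = yes ] && [ "$v2" = yes ]; then
        echo "both"    # endpoint is chosen at run time; inspect the config too
    elif [ "$v1" = yes ]; then
        echo "v1"
    elif [ "$v2" = yes ]; then
        echo "v2"
    else
        echo "none"    # URL may be built at run time or stored elsewhere
    fi
}

# Paths quoted in the post above; skipped when absent.
for f in /usr/builtin/bin/certificate \
         /usr/builtin/etc/certificate/certificate.json; do
    if [ -e "$f" ]; then
        echo "$f: $(acme_api_version "$f")"
    fi
done
```

A result of "both" or "none" is inconclusive on its own: the endpoint actually used then has to be confirmed from the client's configuration or from the outbound TLS connection it makes during a renewal.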
sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by sksbir »

jauling wrote: I see in the release notes that 3.4.6.RCO3 (released on 2019-12-25) should have introduced ACMEv2. I've been running 3.4.7.RFO2 for over 5 weeks now, but I recently got an email from Let's Encrypt saying that ACMEv1 was used on 2020-04-29 to renew my certs.

I see a crontab entry for root on my AS5104T that is executing this daily at midnight:

0 0 * * * TAG=CERTIFICATE /usr/builtin/bin/certificate update-cert

Anyone figure out how this client works? I looked at the binary, and it reads the file /usr/builtin/etc/certificate/certificate.json, which seems to show that my Let's Encrypt cert is type 2, but I really don't know if that has anything to do with ACMEv1 vs ACMEv2.

Same for me. I got the mail a second time from LetsEncrypt.
Meanwhile, Asustor support answered the case: We have already updated to ACME to v2 already..

Maybe letsencrypt sends mail at each renewal, regardless of version used.
gunemalli
Posts: 1
Joined: Wed May 20, 2020 7:19 am

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by gunemalli »

I have an AS1002T v2 with ADM v3.5.0.R5D3. This uses acme.sh instead of certbot and has no issues with LetsEncrypt. Maybe try updating the ACME client software and see if that helps (mine is v2.0.0.r5). I have worked with acme.sh a lot for other linux deployments and it has a ton of functionality that the certbot doesn't have.
jauling
Posts: 52
Joined: Wed Feb 01, 2017 1:34 am
Location: Amsterdam

Re: Let's Encrypt ACME client outdated by letsencrypt

Post by jauling »

Not sure why this is still an issue, but I'm on an AS5104T running 3.5.4.RE11, and got an email today saying I'm using ACMEv1, and that ACMEv1 will be retired on June 1 2021. My crontab for root has no mention of acme.sh.

You guys think this is just blind spam from Let's Encrypt? The email seems pretty specific, unless it's a canned copy/paste.

According to our records, your Let's Encrypt software client renewed a
TLS/SSL certificate recently using the ACMEv1 protocol.